Lucene search

Veracode Vulnerability DatabaseVERACODE:45491

HistoryFeb 15, 2024 - 7:05 a.m.

Cross-Site Scripting (XSS)

2024-02-1507:05:23

Veracode Vulnerability Database

sca.analysiscenter.veracode.com

cross-site scripting

get request

parameter sanitization

admin webui

arbitrary javascript code

browser

super-user permission

7.1 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

LOW

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L

6.8 Medium

AI Score

Confidence

High

0.0004 Low

EPSS

Percentile

9.2%

JSON

sidekiq-unique-jobs is vulnerable to Cross-site Scripting (XSS). The vulnerability is due to improper parameter sanitization within GET request to the admin webUI. This allows an attacker with super-user permission to execute arbitrary JavaScript code in the browser.

CPENameOperatorVersion
sidekiq-unique-jobsle8.0.6
sidekiq-unique-jobsle7.1.32
sidekiq-unique-jobsle8.0.6
sidekiq-unique-jobsle7.1.32

Name	Operator	Version
sidekiq-unique-jobs	le	8.0.6
sidekiq-unique-jobs	le	7.1.32
sidekiq-unique-jobs	le	8.0.6
sidekiq-unique-jobs	le	7.1.32

References

github.com/mhenrixon/sidekiq-unique-jobs/commit/cd09ba6108f98973b6649a6149790c3d4502b4cc

github.com/mhenrixon/sidekiq-unique-jobs/commit/ec3afd920c1b55843c72f748a87baac7f8be82ed

github.com/mhenrixon/sidekiq-unique-jobs/security/advisories/GHSA-cmh9-rx85-xj38